Powered by Activated Charcoal: Making Sense of Endpoint Data
Company Confidential
Greg Foss, Head of Global Security Operations, LogRhythm
Sarah Miller, Threat Intelligence Analyst, Carbon Black
The Endpoint is the new Perimeter
The easiest path into any network…
Social Engineering
Nothing like a little pretext to get people to click on your links…
Phishing
• 91% of ‘advanced’ attacks began with a phishing email or similar social engineering tactics.
  http://www.infosecurity-magazine.com/view/29562/91-of-apt-attacks-start-with-a-spearphishing-email/
2014 Metrics
• Average cost per breach => $3.5 million
• 15% higher than the previous year
  http://www.ponemon.org/blog/ponemon-institute-releases-2014-cost-of-data-breach-global-analysis
Drive By Downloads, Malvertising, and Watering Hole Attacks
Image Source: https://blog.kaspersky.com/what-is-malvertising/5928/
Training is Critical to Success
Key Focus Areas:
• Employees
Image Source: http://www.cloudpro.co.uk/hr/5803/gov-offers-hr-workers-free-cyber-security-training
End User Tips - Phishing
All You Need is +
Shortened URL Tracking
Feedback Loop
Testing and Validation
Rogue Wi-Fi Network – Threat Simulation
USB Drop – Training Exercise: Case Study
Building a Believable Campaign
• Use realistic files with somewhat realistic data
• Staged approach to track file access and exploitation
“Nobody’s going to run an exe from some random USB” - Greg
Yep… They ran it...
Now we have our foothold…
Fortunately they didn’t run this as an admin
Key Focus Areas:
• Employees
• IT Staff
  • Roles and Responsibilities
  • Incident Response Duties
  • Configuration Monitoring
  • Malware Removal
  • Security Infrastructure
• Security Staff
  • Table Top and Red vs Blue Exercises
  • Threat Simulation Leads to Process Improvement
  • Announced vs Unannounced Simulations or Penetration Testing
  • Purple Team FTW!
• Leadership
• Processes and Procedures
Continuous Monitoring and Detection
Automating OSINT and Response
API Integration:
• DomainTools
• PassiveTotal
• VirusTotal
• Cisco AMP ThreatGRID
SecOps Infrastructure:
• Netflow / IDS
• Firewalls
• Proxy / DNS
• SIEM
• Endpoint
Malware Beaconing
Correlate Network / Log Activity with Endpoint Data
Macro Phishing Attacks
• Common
• Bypasses Most AV
• Heavily Obfuscated
• Newer attacks targeting Office 365
Macro Attack Detection
Full Command Line Details
Be Careful – Don’t Jump To Conclusions…
Centralized Logging and Event Management
Threat Feed Configuration
Full Event Alerting
Syslog Only
Tuning Feeds
Watchlist Configuration
Carbon Black Event Forwarder
LogRhythm => Use LEEF Format
https://github.com/carbonblack/cb-event-forwarder
Dashboards and Investigations
Long Tail Analysis
Strange activity can bubble to the surface when viewing the whole picture
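Stacking parent/child process pairs across the fleet is the long-tail view described above, and the Office-parent-spawns-script-host check is the macro attack pattern from the earlier Macro Attack Detection section. The following is an added example, not code from the talk, LogRhythm or Carbon Black: it parses constructed JSON-lines process events (field names, host names and command lines are assumptions, not a vendor schema) and keeps the full command line with each hit so that a rare pair alone is only a "review" item, in the spirit of "Don't Jump To Conclusions".

```python
import json
from collections import defaultdict

# Constructed sample: endpoint process events as JSON lines, loosely shaped like what
# an event forwarder feeds a SIEM. Field names are assumptions, not a vendor schema.
FIELDS = ("hostname", "parent_name", "process_name", "cmdline")
_ROWS = [
    ("ws01", "explorer.exe", "outlook.exe", "outlook.exe"),
    ("ws02", "explorer.exe", "outlook.exe", "outlook.exe"),
    ("ws03", "explorer.exe", "outlook.exe", "outlook.exe"),
    ("ws01", "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ("ws02", "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    # an admin running a script by hand: rare, but benign
    ("ws03", "cmd.exe", "powershell.exe", "powershell.exe -File C:\\scripts\\inventory.ps1"),
    # Word spawning a hidden, encoded PowerShell: the macro-phishing shape (placeholder blob)
    ("ws02", "WINWORD.EXE", "powershell.exe", "powershell.exe -nop -w hidden -enc <constructed>"),
]
SAMPLE_EVENTS = "\n".join(json.dumps(dict(zip(FIELDS, r))) for r in _ROWS)

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def parse_events(text):
    """Parse JSON-lines process events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def pair_of(event):
    return (event["parent_name"].lower(), event["process_name"].lower())


def long_tail(events, max_hosts=1):
    """Stack (parent, child) pairs fleet-wide; return those seen on <= max_hosts hosts, rarest first."""
    hosts = defaultdict(set)
    for e in events:
        hosts[pair_of(e)].add(e["hostname"])
    rare = [p for p, h in hosts.items() if len(h) <= max_hosts]
    return sorted(rare, key=lambda p: (len(hosts[p]), p))


def is_macro_pattern(event):
    """Office parent spawning a script host, the usual shape of a macro phish."""
    parent, child = pair_of(event)
    return parent in OFFICE and child in SCRIPT_HOSTS


def triage(events, max_hosts=1):
    """Rank long-tail events: a rare pair alone is only 'review' (the admin's one-off
    script lands here); rare AND Office-spawned script host is 'high'. Full cmdline kept."""
    tail = set(long_tail(events, max_hosts))
    hits = [(("high" if is_macro_pattern(e) else "review"), pair_of(e), e["hostname"], e["cmdline"])
            for e in events if pair_of(e) in tail]
    return sorted(hits)
```

Raising max_hosts widens the tail (at 2, the svchost pair seen on two hosts joins it), which is the knob to turn as the fleet grows.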
Taking it a Step Further…
Additional Integration
• Alarming: Trigger on Specific Watch List Hits
• Admin Tracking
• Reporting
• Automation: Perform Actions Based on Alarms Observed
Thank You! QUESTIONS?
Greg Foss, Greg . Foss [at] LogRhythm . com, @heinzarelli
Sarah Miller, SMiller [at] CarbonBlack . com, @beyazfar3